Samba 4 DC for Hyper-V R2 Cluster - Kerberos problems

Michael Wood esiotrot at gmail.com
Fri Jan 20 09:04:10 MST 2012


On 20 January 2012 15:07, Alessandro <alexvl at tiscali.it> wrote:
> Thanks Michael,
>
> I'm going to test it.

No problem.  It won't solve your problem, but at least the logging
will be very slightly better (unless I made a mistake).

> On Jan 20, 2012, at 08:37 , Michael Wood wrote:
>
>> Hi
>>
>> I don't know the answer, but perhaps the following patch will help
>> with at least making more sense of:
>>
>>> Failed find a entry for (null)
>>
>> I have not tested it, though.
>>
>> From 14fb3e9dd91ba09a4bfced93d7274227431692fc Mon Sep 17 00:00:00 2001
>> From: Michael Wood <esiotrot at gmail.com>
>> Date: Fri, 20 Jan 2012 08:30:18 +0200
>> Subject: [PATCH] Log short_princ instead of uninitialised filter.
>>
>> ---
>> source4/kdc/db-glue.c |   11 ++++++-----
>> 1 files changed, 6 insertions(+), 5 deletions(-)
>>
>> diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
>> index ae93b75..77c8430 100644
>> --- a/source4/kdc/db-glue.c
>> +++ b/source4/kdc/db-glue.c
>> @@ -1363,7 +1363,6 @@ static krb5_error_code
>> samba_kdc_lookup_server(krb5_context context,
>>
>>        } else {
>>                int lret;
>> -               char *filter = NULL;
>>                char *short_princ;
>>                const char *realm;
>>                /* server as client principal case, but we must not
>> lookup userPrincipalNames */
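Review bot: Dropping `filter` is the right fix, since nothing assigns it after the `= NULL` initialiser and that NULL is exactly what the quoted log prints as "Failed find a entry for (null)"; but this hunk only removes the declaration, so check that no other reference to `filter` survives elsewhere in samba_kdc_lookup_server, or the build fails on an undeclared identifier.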
>> @@ -1386,16 +1385,18 @@ static krb5_error_code
>> samba_kdc_lookup_server(krb5_context context,
>>                                       DSDB_SEARCH_SHOW_EXTENDED_DN |
>> DSDB_SEARCH_NO_GLOBAL_CATALOG,
>>
>> "(&(objectClass=user)(samAccountName=%s))",
>>
>> ldb_binary_encode_string(mem_ctx, short_princ));
>> -               free(short_princ);
>>                if (lret == LDB_ERR_NO_SUCH_OBJECT) {
>> -                       DEBUG(3, ("Failed find a entry for %s\n", filter));
>> +                       DEBUG(3, ("Failed to find an entry for %s\n",
>> short_princ));
>> +                       free(short_princ);
>>                        return HDB_ERR_NOENTRY;
>>                }
>>                if (lret != LDB_SUCCESS) {
>> -                       DEBUG(3, ("Failed single search for for %s - %s\n",
>> -                                 filter, ldb_errstring(kdc_db_ctx->samdb)));
>> +                       DEBUG(3, ("Failed single search for %s - %s\n",
>> +                                 short_princ,
>> ldb_errstring(kdc_db_ctx->samdb)));
>> +                       free(short_princ);
>>                        return HDB_ERR_NOENTRY;
>>                }
>> +               free(short_princ);
>>        }
>>
>>        return 0;
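Review bot: `free(short_princ)` now appears three times (once per early return plus the success path), and any error path added to this block later has to remember it as well; since both error branches return HDB_ERR_NOENTRY, an alternative is to run the two DEBUG calls, free once, and then branch on the saved `lret`. Second point: the messages now print the short principal where the old ones meant to print the LDAP filter, so a reader of the log no longer sees that the lookup was by samAccountName; wording such as "no user with samAccountName %s" would keep that information while still avoiding the unassigned pointer.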
>> --
>> 1.7.0.4
>>
>> On 22 December 2011 21:14, Alessandro <alexvl at tiscali.it> wrote:
>>> Hi Guys,
>>>
>>> I'm currently creating a Hyper-V R2 SP1 Cluster using Samba 4 (alpha 17) as an external DC.
>>> The main reason to do that is that virtualizing the DC needed by the cluster is not a great idea, and paying an extra Windows Server license just for an external simple DC scenario is something that a lot of people find irritating, considering that otherwise the Hyper-V stack is free.
>>>
>>> So far I'm impressed with the features and stability of Samba 4. I managed to succeed in getting the cluster validation "green", I had to fix some Kerberos problems by creating the relevant SPNs, but nothing too dramatic.
>>>
>>> My problem is that by creating the cluster, the Kerberos authentication between the nodes is not working and the cluster cannot be set up.
>>>
>>> Samba 4 setup:
>>>
>>> CentOS 6.0 x64
>>> Samba 4 alpha17
>>> Bind 7.2.0 (the outdated one coming with CentOS 6.0)
>>>
>>> Dynamic DNS updates not set
>>> Records for cluster name and cluster nodes statically created
>>> Time synchronization between DC and nodes ok
>>>
>>>
>>> Here are some logs from the Hyper-V R2 SP1 cluster nodes:
>>>
>>> Event ID 1570
>>> Node 'HV2' failed to establish a communication session while joining the cluster. This was due to an authentication failure. Please verify that the nodes are running compatible versions of the cluster service software.
>>>
>>> Event ID 1280
>>> Sponsor tried to Create Security Context using Package='Kerberos' with Context Requirement ='133122' and Timeout ='30000'
>>>
>>> Event ID 1281
>>> Joiner tried to Create Security Context using Package='Kerberos' with Context Requirement ='83990' and Timeout ='30000' for the target = 'HV2'
>>>
>>>
>>> And here are some logs from Samba4 using a -d 5 level:
>>>
>>>
>>> (normal if no LDAP backend) Could not find entry to match filter: '(&(objectclass=ldapSecret)(cn=SAMDB Credentials))' base: '': No such object: (null)
>>> auth_check_password_send: Checking password for unmapped user [MYDOMAIN]\[HV2$]@[HV2]
>>> map_user_info: Mapping user [MYDOMAIN]\[HV2$] from workstation [HV2]
>>> auth_check_password_send: mapped user is: [MYDOMAIN]\[HV2$]@[HV2]
>>> auth_get_challenge: returning previous challenge by module netr_LogonSamLogonWithFlags (normal)
>>> [0000] 35 7B 87 F7 C2 E6 A1 70                            5{.....p
>>> ntlm_password_check: Checking NTLMv2 password with domain [MYDOMAIN]
>>> authsam_account_ok: Checking SMB password for user HV2$
>>> logon_hours_ok: No hours restrictions for user HV2$
>>> gendb_search_v: DC=MYDOMAIN,DC=local NULL -> 1
>>> auth_check_password_recv: sam_ignoredomain authentication for user [MYDOMAIN\HV2$] succeeded
>>> dreplsrv_notify_schedule(5) scheduled for: Thu Dec  8 00:55:13 2011 EET
>>> dreplsrv_notify_schedule(5) scheduled for: Thu Dec  8 00:55:18 2011 EET
>>> Kerberos: TGS-REQ HV2$@MYDOMAIN.LOCAL from ipv4:10.73.75.61:60923 for HV1 at MYDOMAIN.LOCAL [canonicalize, renewable, forwardable]
>>> Failed find a entry for (null)
>>> Kerberos: Searching referral for HV1
>>> Kerberos: Server not found in database: HV1 at MYDOMAIN.LOCAL: No such entry in the database
>>> Kerberos: Failed building TGS-REP to ipv4:10.73.75.61:60923
>>> Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
>>> imessaging: cleaning up /usr/local/samba/private/smbd.tmp/msg/msg.0:0.92
>>> single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
>>> Kerberos: TGS-REQ HV1$@MYDOMAIN.LOCAL from ipv4:10.73.75.60:55743 for HV2 at MYDOMAIN.LOCAL [canonicalize, renewable, forwardable]
>>> Failed find a entry for (null)
>>> Kerberos: Searching referral for HV2
>>> Kerberos: Server not found in database: HV2 at MYDOMAIN.LOCAL: No such entry in the database
>>> Kerberos: Failed building TGS-REP to ipv4:10.73.75.60:55743
>>> Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
>>>
>>>
>>> Any suggestion is highly welcome!!
>>>
>>>
>>> Thanks,
>>>
>>> Alessandro Pilotti
>>> MVP ASP.Net / IIS
>>
>> --
>> Michael Wood <esiotrot at gmail.com>
>> <0001-Log-short_princ-instead-of-uninitialised-filter.patch>

-- 
Michael Wood <esiotrot at gmail.com>
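Added note, not part of the thread or of Samba: the script below runs over the samba -d 5 lines quoted in the original post and pairs each "TGS-REQ ... for <server>" line with the "Server not found in database" line that follows it. For every failed request it rebuilds the filter from the quoted hunk, (&(objectClass=user)(samAccountName=%s)), for the short principal, and reports whether that exact samAccountName, or the machine-account form with a trailing "$", is among the accounts the same log shows authenticating (successful NTLM logons, and TGS-REQ clients, which must hold a TGT). The sample log is copied from the quoted post with the archive's " at " rendering of "@" kept and normalised by the script; the "$"-suffix comparison is this script's own check, and the thread does not establish that the bare host name is the cause of the cluster failure. All function names are mine.

```python
import re

# Constructed sample: the samba -d 5 lines quoted in the post above, copied
# as the list archive renders them (it prints "@" in principals as " at ").
SAMPLE_LOG = r"""
auth_check_password_send: Checking password for unmapped user [MYDOMAIN]\[HV2$]@[HV2]
auth_check_password_recv: sam_ignoredomain authentication for user [MYDOMAIN\HV2$] succeeded
Kerberos: TGS-REQ HV2$ at MYDOMAIN.LOCAL from ipv4:10.73.75.61:60923 for HV1 at MYDOMAIN.LOCAL [canonicalize, renewable, forwardable]
Failed find a entry for (null)
Kerberos: Searching referral for HV1
Kerberos: Server not found in database: HV1 at MYDOMAIN.LOCAL: No such entry in the database
Kerberos: Failed building TGS-REP to ipv4:10.73.75.61:60923
Kerberos: TGS-REQ HV1$ at MYDOMAIN.LOCAL from ipv4:10.73.75.60:55743 for HV2 at MYDOMAIN.LOCAL [canonicalize, renewable, forwardable]
Failed find a entry for (null)
Kerberos: Searching referral for HV2
Kerberos: Server not found in database: HV2 at MYDOMAIN.LOCAL: No such entry in the database
Kerberos: Failed building TGS-REP to ipv4:10.73.75.60:55743
"""

TGS_REQ = re.compile(r"^Kerberos: TGS-REQ (?P<client>.+?) from (?P<src>\S+) for (?P<server>.+?) \[")
NOT_FOUND = re.compile(r"^Kerberos: Server not found in database: (?P<server>.+?): ")
AUTH_OK = re.compile(r"^auth_check_password_recv: .*for user \[[^\\\]]+\\(?P<account>[^\]]+)\] succeeded")


def normalise(principal):
    """Undo the archive's ' at ' rendering so 'HV1 at REALM' and 'HV1@REALM' compare equal."""
    return principal.replace(" at ", "@")


def short_principal(principal):
    """Principal without its realm: the value the patched DEBUG line prints as short_princ."""
    return principal.split("@", 1)[0]


def lookup_filter(short_princ):
    """The LDAP filter samba_kdc_lookup_server builds in the quoted hunk."""
    return "(&(objectClass=user)(samAccountName=%s))" % short_princ


def analyze(log_text):
    """Pair each TGS-REQ with a following 'Server not found' line for the same server.

    Accounts known to exist are collected from successful logons and from
    TGS-REQ clients (a client presenting a TGT must be in the database).
    """
    known_accounts = set()
    requests = []
    current = None
    for line in log_text.splitlines():
        m = AUTH_OK.match(line)
        if m:
            known_accounts.add(m.group("account"))
            continue
        m = TGS_REQ.match(line)
        if m:
            current = {
                "client": normalise(m.group("client")),
                "server": normalise(m.group("server")),
                "src": m.group("src"),
                "not_found": False,
            }
            known_accounts.add(short_principal(current["client"]))
            requests.append(current)
            continue
        m = NOT_FOUND.match(line)
        if m and current is not None and normalise(m.group("server")) == current["server"]:
            current["not_found"] = True
    for r in requests:
        name = short_principal(r["server"])
        r["filter"] = lookup_filter(name)
        r["exact_account_seen"] = name in known_accounts
        # This script's own check, not Samba's: computer accounts carry a trailing '$'.
        r["machine_account_seen"] = (name + "$") in known_accounts
    return requests


def report(requests):
    """One line per failed TGS-REQ, for reading alongside the KDC log."""
    lines = []
    for r in requests:
        if not r["not_found"]:
            continue
        hint = ""
        if not r["exact_account_seen"] and r["machine_account_seen"]:
            hint = " (only %s$ seen; bare host name requested)" % short_principal(r["server"])
        lines.append("%s -> %s: lookup %s failed%s" % (r["client"], r["server"], r["filter"], hint))
    return lines


if __name__ == "__main__":
    for line in report(analyze(SAMPLE_LOG)):
        print(line)
```

Run it against a longer -d 5 capture to see which service names the nodes actually ask for; a request for a full SPN such as cifs/host.realm is parsed the same way and is only reported when the KDC logs it as not found.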

